An Efficient Explicit-time Description Method for Timed Model Checking

Hao Wang and Wendy MacCaull

Centre for Logic and Information
St. Francis Xavier University
Antigonish, Canada

{hwang, wmaccaul}@stfx.ca



Timed model checking, the method to formally verify real-time systems, is attracting increasing attention from both the model checking community and the real-time community. Explicit-time description methods verify real-time systems using general model constructs found in standard un-timed model checkers. Lamport proposed an explicit-time description method [17] using a clock-ticking process (Tick) to simulate the passage of time together with a group of global variables to model time requirements. Two methods, the Sync-based Explicit-time Description Method using rendezvous synchronization steps and the Semaphore-based Explicit-time Description Method using only one global variable, were proposed in [27, 26]; they both achieve better modularity than Lamport's method in modeling real-time systems. In contrast to timed automata based model checkers like UPPAAL [?], explicit-time description methods can access and store the current time instant for future calculations, which are necessary for many real-time systems, especially those with pre-emptive scheduling. However, the Tick process in the above three methods increments the time by one unit in each tick; the state spaces therefore grow relatively fast as the time parameters increase, a problem when the system's time period is relatively long. In this paper, we propose a more efficient method which enables the Tick process to leap multiple time units in one tick. Preliminary experimental results in a high performance computing environment show that this new method significantly reduces the state space and improves both the time and memory efficiency.



1 Introduction 

Model checking is an automatic analysis method which explores all possible states of a modeled system to verify whether the system satisfies a formally specified property. It was popularized in industrial applications, e.g., for computer hardware and software, and has great potential for modeling complex and distributed business processes. Timed model checking, the method to formally verify real-time systems, is attracting increasing attention from both the model checking community and the real-time community. However, standard model checkers like SPIN [15] and SMV [19] can generally only represent and verify the qualitative relations between events, which constrains their use for real-time systems. Quantified time notions, including time instant and duration, must be taken into account for timed model checking. For example, in a safety critical application such as an emergency department, after an emergency case arrives at the hospital, standard model checking can only verify whether "the patient receives a certain treatment", but to save the patient's life, it should be verified whether "the patient receives a certain treatment within 1 hour".

Many formalisms with time extensions have been presented as the basis for timed model checkers. Two popular ones are: (1) timed automata [4], which is an extension of finite-state automata with a set of clock variables to keep track of time; (2) time Petri Nets [20], which is an extension of Petri Nets with timing constraints on the firings of transitions. Various translation methods have been presented from time Petri Nets to timed automata [22] in order to apply timed-automata-based methods to time Petri Nets. UPPAAL [?] and KRONOS [28] are two well-known timed automata based model checkers; they have been successfully applied to various real-time controllers and communication protocols. Conventional temporal logics like Linear Temporal Logic (LTL) or Computation Tree Logic (CTL) must be extended [5] to handle the specification of properties of timed automata. In order to handle continuous-time semantics, specialized data structures are needed to represent real clock variables, e.g. Difference Bounded Matrices [?] (employed by UPPAAL and KRONOS).

The foundation for the decidability results in timed automata is the notion of region equivalence over the clock assignment [8]. Models in a timed automata based model checker cannot represent at which time instant a transition is executed within a time region; such model checkers can only deal with a specification involving a time region or a pre-specified time instant and cannot store the exact time instant when the transition is executed. However, many real-time systems, especially those with pre-emptive scheduling, need this information for succeeding calculations. For example, triage is widely practiced in medical procedures; the caregiver C may be administering some required but non-critical treatment on patient A when another patient B presents with a critical situation, such as a cardiac arrest. C then must move to the higher priority task of treating B, but it is necessary to store the elapsed time of A's treatment to determine how much time is still needed, or else the treatment must be restarted. The stop-watch automata [?], an extension of timed automata, were proposed to tackle this; unfortunately, as Krcal and Yi discussed in [?], since the reachability problem for this class of automata is undecidable, there is no guarantee of termination in the general case.

Lamport [17] advocated explicit-time description methods using general model constructs, e.g., global integer variables or synchronization between processes, commonly found in standard un-timed model checkers, to realize timed model checking. He presented an explicit-time description method, which we refer to as LEDM, using a clock-ticking process (Tick) to simulate the passage of time, and a pair of global variables to store the time lower and upper bounds for each modeled system process. The method has been implemented with the popular model checkers SPIN (sequential) and SMV. We presented two methods, (1) the Sync-based Explicit-time Description Method (SEDM) [27] using rendezvous synchronization steps between the Tick and each of the system processes; and (2) the Semaphore-based Explicit-time Description Method (SMEDM) [26] using only one global semaphore variable. Both these methods enable the time lower and upper bounds to be defined locally in system processes, so that they provide better modularity in system modeling and facilitate the use of more complex timing constraints. Our experiments [26, 27] showed that the time and memory efficiencies of these two methods are comparable to that of LEDM.

The explicit-time description methods have three advantages over timed-automata-based model checkers: (1) they do not need specialized languages or tools for time description, so they can be applied in standard un-timed model checkers. Recently, Van den Berg et al. [3] successfully applied LEDM to verify the safety of railway interlockings for one of Australia's largest railway companies; (2) they enable the accessing and storing of the current time [26], a useful feature for pre-emptive scheduling problems; and (3) they enable the usage of large-scale distributed model checkers, e.g., DiVinE, for timed model checking.

Orthogonally, model checking has been studied in parallel and distributed computing platforms. Because real world models often come with gigantic state spaces which cannot fit into the memory of a standard computer, inevitably a portion of the state space needs to be accessed from secondary storage and the model checking algorithm becomes very slow [10]. This problem is known as state explosion. Large-scale analysis is needed in many practical cases. Distributed model checkers exploit the power of distributed computing facilities so that much larger memory is available to accommodate the state space of the system model; parallel processing of the states can, moreover, reduce the verification time. Our experiments [27] compared the time efficiency between the sequential SPIN and DiVinE [2], a well-known distributed model checker. When using the same explicit-time description method, DiVinE can verify much larger models and finish the verification for models of the same size in significantly less time than SPIN.

In this paper, we present a new explicit-time description method called Efficient Explicit-time De- 
scription Method (EEDM). We found that the former three methods (LEDM, SEDM and SMEDM) 
suffer from one common problem: as the Tick process increments the time by one unit in each tick, 
the state space grows relatively fast as the time parameters increase. E.g., in our experiment [26] using 
LEDM, the number of states doubles as time bounds grow from 12 to 14. In the new EEDM, the Tick 
can increment the time in two modes: the standard mode and the leaping mode. When it is necessary 
to store the current time to allow access for future calculations, it ticks in the standard mode; otherwise, 
it ticks in the leaping mode. For each system process, we define one global variable indicating whether 
the process needs to store and access the current time, allowing the Tick process to switch between the 
standard mode and the leaping mode. For the experiments, we continue using DiVinE (the method is 
also applicable to other standard model checkers); the results show that: in the leaping mode, the number 
of states can be reduced significantly, so it is much less affected by the increase of time parameters; in 
the standard mode, the time and memory efficiencies are comparable with the former methods. 

The remainder of the paper is organized as follows. Section 2 gives background information with respect to the DiVinE model checker. The new explicit-time description method implemented in DiVinE is presented in Section 3; for comparison, LEDM is also briefly described in the same section. Section 4 describes our experiments and the results. Section 5 concludes the paper.

2 Preliminaries 

Section 2.1 is adapted from [25]; the syntax outlined in Section 2.2, while incomplete, is meant for the presentation of the explicit-time description methods; the complete description can be found in [?].

2.1 Distributed Model Checking Algorithms in DiVinE 

DiVinE is an explicit-state LTL model checker based on the automata-based procedure by Vardi and Wolper [24]. The property to be specified is described by an LTL formula. In LTL model checking, all efficient sequential algorithms are based on the postorder exploration as computed by a depth-first search (DFS) of the state space. However, computing DFS postorder is P-complete [23], so no benefit in terms of either time or space will result from parallelization of this type of algorithm.

Two algorithms, OWCTY and MAP [6], are introduced in DiVinE. The sequential complexity of
each is worse than that of the DFS-based algorithms but both can be efficiently implemented in parallel. 
OWCTY, or One Way to Catch Them Young, is based on the fact that a directed graph can be topologically 
sorted if and only if it is acyclic. The algorithm applies a standard linear topological sort algorithm to 
the graph. Failure in the sorting means the graph contains a cycle. Accepting cycles are detected with 
multiple rounds of the sorting. MAP, or Maximal Accepting Predecessors, is based on the fact that 
each accepting vertex in an accepting cycle is its own predecessor. To improve memory efficiency, 
the algorithm only stores a single representative accepting predecessor for each vertex by choosing the 
maximal one in a linear ordering of vertices. 

These two algorithms are preferable in different cases. If the property of a model is expected to hold, and the state space can fit completely into (distributed) memory, OWCTY is preferable as it is three times faster than MAP to explore the whole state space. On the other hand, MAP can generally find a counterexample (if it exists) more quickly as it works on-the-fly.

2.2 DiVinE Modeling Language

DVE is the modeling language of DiVinE. As in Promela (the modeling language of SPIN), a model described in DVE consists of processes, message channels and variables. Each process, identified by a unique name procid, consists of lists of local variable declarations and state declarations, the initial state declaration and a list of transitions.

A transition transfers the process state from stateid1 to stateid2. The transition may contain a guard (which decides whether the transition can be executed), a synchronization (which communicates data with another process) and an effect (which assigns new values to local or global variables). So we have

    Transition ::= stateid1 -> stateid2 { Guard Sync Effect }

The Guard contains the keyword guard followed by a boolean expression and the Effect contains the keyword effect followed by a list of assignments. The Sync follows the notation for communication in CSP, '!' for the sender and '?' for the receiver. The synchronization can be either asynchronous or rendezvous. Value(s) are transferred in the channel identified by chanid. So we have

    Sync ::= sync chanid ! SyncValue | chanid ? SyncValue ;

A property process is automatically generated for the corresponding property written as an LTL 
formula. Modeled system processes and the property process progress synchronously, so the latter can 
observe the system's behavior step by step and catch errors. 

3 Explicit-Time Description Methods 

With explicit-time description methods, the passage of time and timed quantified values can be expressed 
in un-timed languages and properties to be specified can be expressed in conventional temporal logics. 
This section describes Lamport's LEDM before detailing our new EEDM. At the end of this section, we 
study a small pre-emptive example with respect to explicit-time description methods. 

3.1 The Lamport Explicit-time Description Method 

In LEDM, current time is represented with a global variable now that is incremented by an added Tick process. As we mentioned earlier, standard model checkers can only deal with integer variables, and a real-time system can only be modeled in discrete time using an explicit-time description. So the Tick process increments now by 1. Note that in explicit-time description methods for standard model checkers, the real-valued time variables must be replaced by integer-valued ones. Therefore, these methods in general do not preserve the continuous-time semantics; otherwise an inherently infinite-state specification would be produced and the verification would be undecidable. However, they are sound for a commonly used class of real-time systems and their properties [14].

Placing lower-bound and upper-bound timing constraints on transitions in processes is the common way to model real-time systems. Figure 1 shows a simple example of only two transitions: transition Ta: stateid_l -> stateid_m is followed by the transition Tb: stateid_m -> stateid_n. An upper-bound timing constraint on when transition Tb must occur is expressed by a guard on the transition in the Tick process so as to prevent an increase in time from violating the constraint. A lower-bound constraint on when transition Tb may occur is expressed by a guard on Tb so it cannot be executed earlier than it should be. Each system process P_i has a pair of count-down timers denoted as global variables ubtimer_i and lbtimer_i for the timing constraints on its transitions. A large enough integer constant, denoted as INFINITY, is defined. All upper bound timers are initialized to INFINITY and all lower bound timers are initialized to zero. Upper bound timers with the value of INFINITY are not active and the Tick process will not decrement them. For transition Tb, the timers will be set to the correct values by Ta: stateid_l -> stateid_m. As now is incremented by 1, each non-INFINITY ubtimer and non-zero lbtimer is decremented by 1.

Figure 1: States and Timeline of process P_i

    process P_Tick {
      state tick;
      init tick;
      trans
        tick -> tick { guard all ubtimers > 0;
                       effect now = now + 1,
                              decrement all timers; };
    }

Figure 2: Tick process in DVE for LEDM

In Figure 1, initially, (ubtimer_i, lbtimer_i) is set to (INFINITY, 0). Transition Ta is executed at time instant t0, and (ubtimer_i, lbtimer_i) is set to (ξ2, ξ1). After ξ1 time units, i.e., at time instant t1 when (ubtimer_i, lbtimer_i) is equal to (ξ2 − ξ1, 0), transition Tb is enabled. Both timers will be reset or set to new time bounds after the execution of Tb. If transition Tb is still not executed when the time reaches t2 and ubtimer_i is equal to 0, the transition in the Tick process is disabled. This forces transition Tb (it is the only transition possible at this time) to set ubtimer_i; then the Tick process can start again. In this way, the time upper-bound constraint is realized. The Tick process and the system process P_i in DVE are described in Figure 2 and Figure 3.

We observe that the value of now is limited by the size of type integer and careless incrementing can cause an overflow error. This can be avoided by incrementing now using modular arithmetic, i.e., setting now = (now + 1) mod MAXIMAL (MAXIMAL is the maximal integer value supported by the model checker). The value limit can also be increased by linking several integers, i.e., every time (int1 + 1) mod MAXIMAL becomes zero again, int2 increments by 1, and so on. Note that the variable now is only incremented in the Tick process and does not appear in any other process. So for general system models in which time lower and upper bounds suffice, the variable now should be removed.

    process P_i {
      state ..., state_l, state_m, state_n, ...;
      init ...;
      trans
        ... -> ...,
        state_l -> state_m { ...; effect set timers for transition Tb; },
        state_m -> state_n { guard lbtimer[i] == 0; effect ...; },
        ... -> ...;
    }

Figure 3: System process P_i in DVE for LEDM

3.2 The New Efficient Explicit-Time Description Method

This section is organized as follows. First, we describe the leaping mode and the standard mode of the new EEDM in Sections 3.2.1 and 3.2.2 respectively. Second, we present some discussions (clarifications) of issues on EDMs and EEDM in Section 3.2.3. Finally, a pre-emptive scheduling modeling example using EEDM is described in Section 3.2.4.

3.2.1 Leaping Ticks 

All aforementioned explicit-time description methods (LEDM, SEDM and SMEDM) increase now by 1 each tick. On the other hand, consider Figure 4: we observe that when the system contains only one process, P_i, after t0, Tb cannot be executed until time reaches t2. Therefore, the ticks between t0 and t1 serve no purpose; optimally, the Tick process should directly "leap" to t2. Similarly, Tb is enabled between t2 and t4, so either Tb is executed before t4 or time reaches t4 and Tb's execution is forced; therefore, the Tick process can leap to t4 from t2. When we include P_j, after t0, the Tick should first leap to t1 so P_j can enable transition Tc; then it should leap to t2 and so on.

Based on these observations, in the new EEDM, we use one global count-down timer for each system process, e.g., timer_i for P_i in Figure 4 is set to ξ1 at t0 and to ξ2 − ξ1 at t2. The Tick process increments now by the value of the smallest timer on condition that no timer equals zero and at least one timer is non-INFINITY. In fact, the Tick process, leaping in this way, is running in the leaping mode; the Tick process in leaping mode and the corresponding system process P_i in DVE are described in Figure 5 and Figure 6 (N is the number of system processes).

3.2.2 To Know the Current Time Instant 



Careful readers may notice that there is one penalty for Tick to leap: the actual time instant when Tb is executed is unknown unless it is at t4. In fact, in the leaping mode, it is only known that a transition is executed between the two closest ticks that nest the transition. Consider the example in Figure 4: the Tick will sequentially leap from t0 through t4; Tb may be executed at (1) some time instant between t2 and t3, or (2) some time instant between t3 and t4, or (3) the time instant t4. However, as we discussed earlier in Section 1 and in [26], in many systems, especially those with pre-emptive scheduling, it is necessary to know the actual time instant when the transition is executed.

Figure 4: Timeline of process P_i and P_j

    process P_Tick {
      state tick;
      init tick;
      trans
        tick -> tick { guard (∧_{1≤i≤N} (timer[i] > 0)) ∧ (∨_{1≤i≤N} (timer[i] ≠ INFINITY));
                       effect now = now + min_{1≤i≤N}(timer[i]),
                              decrement all timers by min_{1≤i≤N}(timer[i]); };
    }

Figure 5: Tick process in leaping mode in DVE for EEDM

    process P_i {
      state state_l, state_m1, state_m2, state_n, ...;
      init ...;
      trans
        ... -> ...,
        state_l  -> state_m1 { ...; effect timer[i] = ξ1; },
        state_m1 -> state_m2 { guard timer[i] == 0; effect timer[i] = ξ2 − ξ1; },
        state_m2 -> state_n  { executes Tb and resets timer[i]; },
        ... -> ...;
    }

Figure 6: System process P_i in DVE for EEDM

To overcome this problem, we allow the Tick process to run in the standard mode. We define a global signal variable for each system process. All signals are set to 0 at the initial state. Whenever a system process P_i requires the current time for future calculation, signal_i should be set to 1; the Tick process in turn will run in the standard mode, in which it increments now by 1 in each tick. E.g., when time reaches t2 in Figure 4, P_i's signal (signal_i) is set to 1 in order to store the time instant at which Tb is executed; when time reaches t4, signal_i is set back to 0 so that the Tick switches back to leaping mode. Both the Tick process and the system process need to be updated to incorporate the standard mode, see Figure 7 and Figure 8.

    process P_Tick {
      state tick;
      init tick;
      trans
        tick -> tick {
          guard (∧_{1≤i≤N} (timer[i] > 0)) ∧ (∨_{1≤i≤N} (timer[i] ≠ INFINITY)) ∧ (∧_{1≤i≤N} (signal[i] == 0));
          effect now = now + min_{1≤i≤N}(timer[i]),
                 decrement all timers by min_{1≤i≤N}(timer[i]); },
        tick -> tick {
          guard (∧_{1≤i≤N} (timer[i] > 0)) ∧ (∨_{1≤i≤N} (timer[i] ≠ INFINITY)) ∧ (∨_{1≤i≤N} (signal[i] == 1));
          effect now = now + 1,
                 decrement all timers by 1; };
    }

Figure 7: Tick process in standard mode in DVE for EEDM

    process P_i {
      state state_l, state_m1, state_m2, state_n, ...;
      init ...;
      trans
        ... -> ...,
        state_l  -> state_m1 { ...; effect timer[i] = ξ1; },
        state_m1 -> state_m2 { guard timer[i] == 0;
                               effect timer[i] = ξ2 − ξ1, signal[i] = 1; },
        state_m2 -> state_n  { executes Tb and resets timer[i], signal[i] = 0; },
        ... -> ...;
    }

Figure 8: System process P_i to illustrate the standard mode
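The two Tick modes of Figures 5 and 7, driven over the scenario of Figure 4, as an added Python example rather than the paper's DVE code: tick implements the guard and effect of the Tick process (leaping by the smallest active timer while all signals are 0, stepping by one unit as soon as any signal is 1), and run_figure4 plays P_i and P_j against it, with Tb taken at its upper bound. The concrete values (ξ1 = 5, ξ2 = 9, Tc at t1 = 3, t0 = 0), the function names and the value of INFINITY are constructed for this example.

```python
INFINITY = 10**9   # stands for the paper's "large enough" constant INFINITY (constructed value)


def tick(now, timers, signals):
    """One execution of the Tick process of Figure 7.

    Returns (new_now, new_timers), or None when the Tick is disabled: some active
    timer is 0 (a system transition is forced first) or no timer is active at all.
    """
    active = [t for t in timers if t != INFINITY]
    if not active or any(t == 0 for t in active):
        return None
    # standard mode as soon as one process has raised its signal; leaping mode otherwise
    step = 1 if any(s == 1 for s in signals) else min(active)
    new_timers = [t if t == INFINITY else t - step for t in timers]
    return now + step, new_timers


def run_figure4(xi1, xi2, tc_delay, exact_tb):
    """Drive the two processes of Figure 4 against the Tick, starting at t0 = 0.

    P_i arms timer[i] = xi1 at t0 (transition Ta); when it expires it re-arms
    timer[i] = xi2 - xi1 and, if exact_tb is set, raises signal[i] as in Figure 8.
    Tb is taken when that second timer expires. P_j arms timer[j] = tc_delay for Tc.
    Returns the list of time instants the Tick visited and the instant Tb executed.
    """
    now, timers, signals = 0, [xi1, tc_delay], [0, 0]
    phase_i = "m1"                     # state_m1: lower bound pending; state_m2: Tb enabled
    visited, tb_at = [now], None
    while True:
        if timers[1] == 0:                          # P_j executes Tc at t1
            timers[1] = INFINITY
        if timers[0] == 0 and phase_i == "m1":      # state_m1 -> state_m2
            timers[0] = xi2 - xi1
            signals[0] = 1 if exact_tb else 0
            phase_i = "m2"
        elif timers[0] == 0 and phase_i == "m2":    # upper bound reached: Tb is forced
            tb_at, timers[0], signals[0], phase_i = now, INFINITY, 0, "n"
        result = tick(now, timers, signals)
        if result is None:                          # every timer is INFINITY: nothing left to time
            return visited, tb_at
        now, timers = result
        visited.append(now)


if __name__ == "__main__":
    print("leaping only    :", run_figure4(5, 9, 3, False))   # constructed values
    print("standard from t2:", run_figure4(5, 9, 3, True))
```

With the constructed values the leaping run visits only t0 = 0, t1 = 3, t2 = 5 and t4 = 9, while raising signal[i] at t2 makes the Tick step through 6, 7 and 8 as well; those three extra states are the price paid for being able to record the instant at which Tb executes.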



3.2.3 Issues on EDMs and EEDM 

Readers may be concerned about the verification capability of explicit-time description methods. As in 
our earlier discussion, EDMs simulate a discrete timer by making use of existing constructs in standard 
un-timed model checkers; in other words, time is just another normal variable in an un-timed model. 
Therefore, EDMs are not affected by verification issues such as whether the property is specified as 
an LTL or CTL formula or whether the property is verified using explicit-state based (e.g., Spin) or 
symbolic model checking (e.g., SMV) algorithms. These verification issues depend on what standard 
un-timed model checker is used. 

Discrete timed model checkers suffer from a common problem: how to find the right time quantum (granularity) that does not mask errors. E.g., for processes in a hospital, a time unit defined as a day will definitely mask an error which violates the property "the patient receives a certain treatment within 1 hour". On the other hand, the state space can easily blow up if a finer time unit is used. Readers may be concerned that the introduction of leaping ticks may add to this problem. Actually, leaping ticks do not mask errors in this respect. The difference between LEDM and EEDM in leaping mode is that EEDM in leaping mode cannot record and use the exact time instant when a transition is executed in the model or the specified properties. For example, the LTL property that b becomes true before 10 time units have elapsed since Tb is executed cannot be verified using EEDM in leaping mode. For this reason, we introduce the mode-switching mechanism in EEDM.

To reduce the state space, Lamport [17] proposed the use of view symmetry, which is equivalent
to abstraction for a symmetric specification S. Abstraction consists of checking S by model checking 
a different specification A called an abstraction of S. This technique has two restrictions: (1) the now 
variable must be eliminated, which means the current time instant is not accessible in this case; (2) 
if the model checker does not support checking under view symmetry or abstraction, the abstraction 
specification A must be constructed by hand. In addition, this reduction technique is orthogonal to our 
EEDM, i.e., we can use Lamport's abstraction technique in conjunction with EEDM. 

The idea of leaping ticks in EEDM is quite similar to the notion of time regions in timed-automata-based model checkers, which advance time up to the point where a transition must be executed in order not to violate the invariant defined on the corresponding state. However, the implementations are fundamentally different: timed-automata-based model checkers introduce specialized data structures [16] to store time regions and use symbolic model checking algorithms extended for time; on the other hand, EEDM, as with LEDM, only uses an explicit tick process and some global variables, and the leaping way of advancing time is obtained by letting the tick leap to the next closest time bound of all system processes.

3.2.4 To Know The Current Time Instant: A Pre-emptive Scheduling Example 

Following the triage example described in Section 1, we consider a system of multiple parallel tasks with different priorities, assuming that the right to an exclusive resource is deprivable, i.e., a higher priority task B may deprive the currently running task A of the resource. In this case, the elapsed time of A's execution must be stored for a future resumed execution.

Figure 9 shows a portion of a state transition diagram for task A, assuming A needs the exclusive resource R for 10 time units; when R becomes available at time instant t0, A starts its execution by entering the state Exec; at time instant t1, B deprives A of its right to R, and A changes to the state Deprived and stores the elapsed t1 − t0 time units; when R becomes available again, A resumes its execution in state Exec for the remaining 10 − (t1 − t0) units. Implementation of this example using any one of the three explicit-time description methods is straightforward. Figure 10 shows the process for task A in DVE using EEDM (assuming A has the lowest priority).

4 Experiments 
4.1 Overview 

For the convenience of comparison with LEDM in DiVinE, we use Fischer's mutual exclusion algorithm as in [27, 26]; this algorithm is a well-known benchmark for timed model checking. The description of the algorithm below is adapted from [17]. Our experiment is to model the algorithm in DiVinE using EEDM in both standard and leaping modes, and compare the time and memory efficiency and size of state space with that of LEDM (we omit the experiments for SEDM and SMEDM because they are comparable with LEDM in the aforementioned three numeric criteria).

Figure 9: An Example Case of Pre-emptive Scheduling

    byte isROccupied = 0;   // 0 means available
    process A {
      default(Tag, tag_a)
      int timeToGo = 10;
      state s_i, s_Exec, s_Deprived, ...;
      init ...;
      trans
        ... -> ...;
        s_i -> s_Exec {
          guard isROccupied == 0;
          effect isROccupied = Tag, timer[A] = timeToGo, signal[A] = 1; },
        s_Exec -> s_Deprived {
          guard isROccupied != Tag && timer[A] > 0;
          effect timeToGo = timer[A]; },
        s_Deprived -> s_Exec {
          guard isROccupied == 0;
          effect isROccupied = Tag, timer[A] = timeToGo; },
        s_Exec -> s_Next {
          guard timer[A] == 0;
          effect isROccupied = 0, signal[A] = 0; },
        ... -> ...;
    }

Figure 10: Process in DVE for Pre-emptive Scheduling Example using EEDM
Fischer's algorithm is a shared-memory, multi-threaded algorithm. It uses a shared variable x whose value is either a thread identifier (starting from 1) or zero; its initial value is zero. For the convenience of specification of the safety property in our experiments, we use a counter c to count the number of threads that are in the critical section. The program for thread t is described in Figure 11.

    ncs: noncritical section;
    a:   wait until x = 0;
    b:   x := t;
    c:   if x ≠ t then goto a;
    cs:  critical section;
    d:   x := 0; goto ncs;

Figure 11: Program of thread t in Fischer's algorithm

The timing constraints are: first, step b must be executed at most δ_b time units (as an upper bound) after the preceding execution of step a; second, step c cannot be executed until at least δ_c^l time units (as a lower bound) after the preceding execution of step b. For step c, there is an additional upper bound δ_c^u to ensure fairness, i.e., step c will eventually be executed. The algorithm is tested for 6 threads. The safety property to be verified, "no more than one process can be in the critical section", is specified as G(c < 2) for the model.

Version 0.8.1 of the DiVinE-Cluster is used. This version has the new feature of pre-compiling the model in DVE into dynamically linked C functions; this feature speeds up the state space generation significantly. As the example property is known to hold, the OWCTY algorithm is chosen for better time efficiency.

All experiments are executed on the Mahone cluster of ACEnet [1], the high performance computing consortium for universities in Atlantic Canada. The cluster is a parallel Sun x4100 AMD Opteron (dual-core) cluster equipped with Myri-10G interconnection. Parallel jobs are assigned using the Open MPI library.

4.2 Experiment 1 

For the first experiment, we use the same value for the three constraints, i.e., δ_b = δ_c^l = δ_c^u = T. Figure 12 compares time and memory efficiency for the two explicit-time description methods with 16 CPUs.

We can see the significant advantage of EEDM in leaping mode: the number of states, verification time and memory usage remain virtually the same for all T. Note that all timing bounds are the same for all threads; the Tick process always leaps T time units in each tick (it ticks only when there is at least one active timer). Therefore, changing the value of T will not change the number of states.
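The Fischer benchmark of Section 4.1, modeled under LEDM (Section 3.1: two count-down timers per thread and a unit Tick) and under EEDM in leaping mode (Section 3.2.1: one timer per thread and a leaping Tick), as an added Python example that is not part of the paper's DVE models. It enumerates the reachable state space by breadth-first search with the variable now removed (as Section 3.1 recommends when bounds suffice), checks the safety property G(c < 2) on every reachable state, and returns the state counts for both methods. The thread count and the bounds δ_b = T, δ_c^l = δ_c^u = 2T are constructed for this example (step c waits strictly longer than step b may take, the usual correctness condition for Fischer's algorithm) and differ from the experiment's equal bounds; INFINITY, the function names and the state encoding are likewise assumptions of the example.

```python
from collections import deque

INFINITY = 10**6   # stands for the paper's "large enough" constant INFINITY (constructed value)
# program labels of Figure 11; C2 is the extra state_m2 of Figure 6 used by the EEDM model only
NCS, A, B, C, C2, CS, D = "ncs", "a", "b", "c", "c2", "cs", "d"


def fischer_step(pc, x, t):
    """Untimed effect of the step thread t is about to execute (Figure 11).
    Returns (next_pc, new_x), or None when the step is not enabled."""
    if pc == NCS:
        return A, x                             # leave the noncritical section
    if pc == A:
        return (B, x) if x == 0 else None       # a: wait until x = 0
    if pc == B:
        return C, t                             # b: x := t
    if pc == C:
        return (CS, x) if x == t else (A, x)    # c: if x != t then goto a
    if pc == CS:
        return D, x
    return NCS, 0                               # d: x := 0; goto ncs


def ledm_successors(state, n, db, dcl, dcu):
    """LEDM: state = (pcs, x, ubtimers, lbtimers); Tick of Figure 2 plus thread steps."""
    pcs, x, ub, lb = state
    succ = []
    if all(u > 0 for u in ub):                  # Tick disabled once an upper bound expires
        succ.append((pcs, x,
                     tuple(u - 1 if u != INFINITY else u for u in ub),
                     tuple(l - 1 if l > 0 else 0 for l in lb)))
    for t in range(n):
        pc = pcs[t]
        if pc == C and lb[t] > 0:               # lower bound of step c not yet reached
            continue
        r = fischer_step(pc, x, t + 1)
        if r is None:
            continue
        npc, nx = r
        nub, nlb = list(ub), list(lb)
        if pc == A:                             # step b must follow within db
            nub[t], nlb[t] = db, 0
        elif pc == B:                           # step c allowed in [dcl, dcu]
            nub[t], nlb[t] = dcu, dcl
        else:                                   # leaving a timed step: deactivate timers
            nub[t], nlb[t] = INFINITY, 0
        succ.append((pcs[:t] + (npc,) + pcs[t + 1:], nx, tuple(nub), tuple(nlb)))
    return succ


def eedm_successors(state, n, db, dcl, dcu):
    """EEDM leaping mode: state = (pcs, x, timers); Tick of Figure 5 plus thread steps."""
    pcs, x, timer = state
    succ = []
    active = [v for v in timer if v != INFINITY]
    if active and all(v > 0 for v in active):   # leap straight to the next expiring timer
        leap = min(active)
        succ.append((pcs, x, tuple(v - leap if v != INFINITY else v for v in timer)))
    for t in range(n):
        pc = pcs[t]
        ntimer = list(timer)
        if pc == C:                             # state_m1 -> state_m2 of Figure 6
            if timer[t] != 0:
                continue
            npc, nx, ntimer[t] = C2, x, dcu - dcl
        else:
            r = fischer_step(C if pc == C2 else pc, x, t + 1)
            if r is None:
                continue
            npc, nx = r
            ntimer[t] = db if pc == A else dcl if pc == B else INFINITY
        succ.append((pcs[:t] + (npc,) + pcs[t + 1:], nx, tuple(ntimer)))
    return succ


def explore(initial, successors):
    """Breadth-first exploration; returns (number of reachable states, True iff G(c < 2) holds)."""
    seen, queue, safe = {initial}, deque([initial]), True
    while queue:
        state = queue.popleft()
        if sum(pc == CS for pc in state[0]) > 1:    # c counts threads in the critical section
            safe = False
        for nxt in successors(state):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen), safe


def run(n, T):
    """Explore n Fischer threads with bounds db = T, dcl = dcu = 2T under both methods."""
    db, dcl, dcu = T, 2 * T, 2 * T
    pcs = (NCS,) * n
    ledm = explore((pcs, 0, (INFINITY,) * n, (0,) * n),
                   lambda s: ledm_successors(s, n, db, dcl, dcu))
    eedm = explore((pcs, 0, (INFINITY,) * n),
                   lambda s: eedm_successors(s, n, db, dcl, dcu))
    return {"ledm": ledm, "eedm_leaping": eedm}


if __name__ == "__main__":
    for T in (2, 3, 4):
        print("T =", T, run(3, T))
```

Running run(3, T) for increasing T reproduces the effect described for Experiment 1: the leaping-mode count is identical for every T, because each active timer is always T, 2T or 0 and the Tick leaps straight to the next expiry, whereas the LEDM count grows with T since its timers pass through every intermediate value. Both methods report the property G(c < 2) as holding.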

Now we compare LEDM and EEDM in standard mode. Let states(X) be the number of states of 
method X. We can see that, after T = 3, states(EEDM_standard) > states(LEDM). As T increases from 
2 to 9, states(EEDM_standard) increases by a factor of 564.9 while states(LEDM) increases by a factor 
of only 82.2; a comparison of the verification times yields similar results. The system process in EEDM 
has more transitions than in LEDM because there is only one timer for each system process, and the timer 
needs to be assigned twice if the next transition has both a lower and an upper bound (e.g. for T_g of P_i in Figure 
11, timer[i] is assigned ε_1 at t_0 and ε_2 − ε_1 at t_2 respectively); on the other hand, LEDM has two 
timers for each system process, so both bounds can be assigned in one step. 
Figure 12: Number of states, Time (in seconds) and memory usage (in MB) for Experiment 1 



4.3 Experiment 2 

For the second experiment, we set δ_g and δ_lc to 4 and vary δ_u. Figure 13 compares the number of states, 
time and memory efficiency of the two explicit-time description methods with 16 CPUs. Figure 14 
shows how the size of the state space and the verification time grow as δ_u increases. The extra experimental 
data for δ_u ∈ {13, 14, 15, 16} are intended to articulate the growth pattern of the state space of EEDM 
in leaping mode. 
Figure 13: Number of states, Time (in seconds) and memory usage (in MB) for Experiment 2 



In contrast to the results of Experiment 1, in this experiment EEDM in standard mode performs 
better than LEDM. We can see that after δ_u = 9, states(EEDM_standard) < states(LEDM); as the model 
becomes larger, states(EEDM_standard) increases more slowly than states(LEDM). In fact, as δ_u in- 
creases from 5 to 12, states(LEDM) increases by a factor of 72.8 while states(EEDM_standard) increases 
by a factor of only 14.2; the verification times compare similarly. 
Figure 14: Number of states and Time (in seconds) for Experiment 2 



EEDM in leaping mode still shows much better performance than both LEDM and EEDM in standard 
mode; states(EEDM_leaping) also shows an interesting phenomenon as δ_u increases. The number of 
states of both EEDM in standard mode and LEDM grows at a relatively steady rate: as δ_u in- 
creases by 1, states(EEDM_standard) increases by a factor of about 1.45 and states(LEDM) increases 
by a factor of about 1.8. On the other hand, the increments of states(EEDM_leaping) are grouped 
by the value of s = (δ_u mod δ_lc). We can see that, for the same ⌊δ_u/δ_lc⌋, states(EEDM_leaping)_{s=0} < 
states(EEDM_leaping)_{s=2} < states(EEDM_leaping)_{s=1} < states(EEDM_leaping)_{s=3}. For s = 0, whenever 
there is more than one active timer, their values are integer multiples of δ_lc (4 in this experiment), so the 
Tick still leaps at least 4 time units in each tick; in the case of s = 2, the Tick leaps at least 2 time units in each 
tick. On the other hand, for s = 1 and s = 3, in the worst case the Tick leaps only 1 time unit in a tick. 
From these observations, we can conclude that EEDM in leaping mode performs better the greater the 
greatest common divisor (gcd) of all timing bounds of all system processes. 
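The leaping Tick behaviour discussed in Experiments 1 and 2 can be reproduced with a small simulation. The following is an added example, not code from the paper or from the DVE models it describes: it abstracts each system process to one periodic timer that is re-assigned its bound whenever it expires (a hypothetical simplification of the real model, in which timers are assigned on transitions), and it lets Tick leap by the smallest active timer value. Running it with the bounds of Experiment 2 shows the s = (δ_u mod δ_lc) grouping above and, for two timers, that the worst-case leap equals the gcd of the bounds.

```python
from functools import reduce
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def leap_amount(timers):
    """Leaping Tick: advance time by the smallest remaining value among the
    active timers (value > 0).  Returns 0 when no timer is active, in which
    case Tick must not fire at all."""
    active = [v for v in timers if v > 0]
    return min(active) if active else 0


def simulate(bounds, horizon=None, leaping=True):
    """Run Tick over `horizon` time units (default: one hyperperiod, the lcm
    of the bounds) for timers that restart at their bound when they expire.
    In standard mode Tick always advances one unit; in leaping mode it
    advances by leap_amount().  Returns (ticks, smallest_leap_observed)."""
    bounds = tuple(bounds)
    if horizon is None:
        horizon = reduce(lcm, bounds)
    timers = list(bounds)          # every timer starts active at its bound
    t, ticks, smallest = 0, 0, None
    while t < horizon:
        step = leap_amount(timers) if leaping else 1
        if step == 0:
            break                  # no active timer: Tick is disabled
        step = min(step, horizon - t)   # do not run past the horizon
        timers = [v - step for v in timers]
        t += step
        ticks += 1
        smallest = step if smallest is None else min(smallest, step)
        # an expired timer models the next transition being taken with the
        # same bound, so it is re-assigned (constructed assumption)
        timers = [bounds[i] if v <= 0 else v for i, v in enumerate(timers)]
    return ticks, smallest


def min_leap(bounds):
    """Worst-case leap of the leaping Tick over one hyperperiod."""
    return simulate(bounds, leaping=True)[1]


def tick_counts(bounds):
    """(standard-mode ticks, leaping-mode ticks) over one hyperperiod."""
    return simulate(bounds, leaping=False)[0], simulate(bounds, leaping=True)[0]


if __name__ == "__main__":
    # delta_lc = 4 as in Experiment 2; vary the second bound so that
    # s = bound mod 4 takes the values 0, 1, 2, 3
    for b in (8, 5, 6, 7):
        print(f"bounds (4, {b}): s={b % 4} min leap={min_leap((4, b))} "
              f"gcd={gcd(4, b)} ticks std/leap={tick_counts((4, b))}")
```

With δ_lc = 4 the worst-case leap is 4 for s = 0, 2 for s = 2 and 1 for s = 1 and s = 3, matching the ordering reported in Figure 14; the number of Tick transitions in leaping mode drops accordingly, which is the source of the state-space reduction. For three or more timers the worst-case leap is bounded below by, but need not equal, the overall gcd.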



5 Conclusion 

In this paper, we present a new explicit-time description method, the Efficient Explicit-time Description 
Method (EEDM), which is significantly more efficient than LEDM, SEDM and SMEDM. In addition to 
the improved efficiency, EEDM retains the ability to store and access the current time for future 
calculations in the system model. Altogether, we have devised methods that have advantages in different 
aspects of real-time modeling: SEDM and SMEDM have better modularity and adaptability, while EEDM is 
more efficient. These explicit-time description methods provide systematic ways to represent discrete 
time in un-timed model checkers like SPIN, SMV and DiVinE. 

In fact, the explicit-time description methods are intended to offer more options for the verification 
of real-time systems. First, as Van den Berg et al. mention, in some real-world scenarios where 
significant resources have been invested into the model for a standard model checker, it is much easier and 
therefore preferable to extend the existing model to represent notions of time rather than re-modeling the 
entire system for a specialized timed model checker. Second, explicit-time description methods provide 
a way to access and store the current clock value, which timed-automata-based model checkers lack. 
Last and most important, explicit-time description methods, especially EEDM, enable the use of 
large-scale distributed model checkers so that much bigger real-time systems can be verified. 

This research is part of an ambitious research and development project, Building Decision-support 
through Dynamic Workflow Systems for Health Care [21]. Real-world workflow processes can be highly 
dynamic and complex in a health care setting. Verification that the system meets its specifications is 
essential. Standard workflow patterns are widely used in business process modeling, so we have trans- 
lated most of the control-flow patterns into DVE and applied them in verifying two small process models 
[18]. As a continuing effort, we will incorporate explicit-time description methods into the workflow pat- 
terns' DVE specifications and verify a larger model of real-world healthcare processes with timing 
information. 

As a more complex case study of EEDM, we are now building a pre-emptive scheduling model in 
the setting of the Dynamic Voltage Scaling (DVS) technique. We also plan to study the possibility of 
applying different abstraction techniques to the explicit-time description methods: Dutertre and Sorea 
[13] and Clarke et al. [11] recently presented two different abstraction techniques for timed automata 
whose abstraction outcome can be verified using un-timed model checkers. 